RE: TCP vulnerability!

From: Alexander Arsenyev (GU/ETL) (alexander.arsenyev@ericsson.com)
Date: Fri Apr 23 2004 - 05:48:43 GMT-3


Hello,

It's probably worth noting that Cisco routers use source port 11000 as the starting port for many
TCP-based protocols, not just BGP. This protocol list, however, excludes telnet, which uses a
random starting source port in the range 16383+ (at least that's what I saw in my lab, it may vary).

So if you have DLSW, BGP, H.323 voice, LDP (probably, I did not test this), etc.
configured on the router, then for every outgoing TCP session the router will choose
the source port in the 11000+ range in the order the requests are received by the router's TCP stack.
It means that BGP sessions' source ports will be interleaved with other protocols' source ports.

To view all TCP sessions with ports on the Cisco router type "show tcp".

BTW, BGP was considered vulnerable long time ago even without this new TCP exploit, see
http://www.nanog.org/mtg-0306/pdf/franz.pdf

HTH,
Cheers
Alex
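The thread's point is that a predictable ephemeral port shrinks the attacker's search to the sequence window alone; a defender can measure that exposure from the router's own debug output. The following Python is an added example, not code from the thread or from Cisco: it parses a constructed sample modelled on the debug lines quoted further down, pairs each IP line with its TCP line, and reports per BGP flow whether the client port falls in an assumed 11000-11099 band and how many spoofed segments per host would be needed to walk the full sequence space at that host's advertised window.

```python
import re

# Constructed sample, modelled on the IOS debug output quoted in the thread
# (two packets of one BGP session, one from each side).
SAMPLE = """\
IP: s=13.0.0.3 (Serial0/1), d=13.0.0.1 (Serial0/1), len 40, rcvd 3
TCP src=11004, dst=179, seq=98379509, ack=207256370, win=16111 ACK
IP: s=13.0.0.1 (Serial1/2), d=13.0.0.3 (Serial1/2), len 59, rcvd 3
TCP src=179, dst=11004, seq=207256370, ack=98379528, win=16092 ACK PSH
"""

IP_RE = re.compile(r"IP: s=(\S+) \(.*?\), d=(\S+) \(")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=\d+, ack=\d+, win=(\d+)")
BGP_PORT = 179
# Assumption taken from the thread: IOS hands out ephemeral ports from 11000
# upward, so a small band above 11000 covers the likely candidates.
PREDICTABLE_BAND = range(11000, 11100)
EPHEMERAL_SPACE = 65535 - 1024 + 1  # guesses needed if the port were truly random

def parse_sessions(text):
    """Return {(client, cport, server, 179): {host: advertised window}} from IP/TCP line pairs."""
    flows = {}
    lines = text.splitlines()
    for ip_line, tcp_line in zip(lines, lines[1:]):
        m_ip, m_tcp = IP_RE.match(ip_line), TCP_RE.match(tcp_line)
        if not (m_ip and m_tcp):
            continue
        src, dst = m_ip.groups()
        sport, dport, win = (int(x) for x in m_tcp.groups())
        if BGP_PORT not in (sport, dport):
            continue
        # The side speaking from port 179 is the server; key the flow client-first.
        key = (dst, dport, src, sport) if sport == BGP_PORT else (src, sport, dt := dst, dport)
        # A host's advertised window bounds the sequence range it will accept.
        flows.setdefault(key, {})[src] = win
    return flows

def exposure(flows):
    """Per flow: is the client port predictable, and how many spoofed segments
    per host would cover the 2^32 sequence space at that host's window."""
    report = {}
    for key, windows in flows.items():
        cport = key[1]
        predictable = cport in PREDICTABLE_BAND
        port_guesses = len(PREDICTABLE_BAND) if predictable else EPHEMERAL_SPACE
        seq_guesses = {host: -(-(2 ** 32) // win) for host, win in windows.items()}  # ceil
        report[key] = {"predictable_port": predictable, "port_guesses": port_guesses,
                       "seq_guesses": seq_guesses}
    return report
```

Feed it a capture of your own sessions and compare `port_guesses` against `EPHEMERAL_SPACE` to see how much the predictable port is costing you; a flow keyed client-first also tells you which peer initiated, which the thread notes the attacker must otherwise guess.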

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Brian McGahan
Sent: 22 April 2004 20:11
To: Kenneth Wygand; istong@stong.org; Calton,Doug; ccie; Armand D;
ccielab@groupstudy.com
Subject: RE: TCP vulnerability!

        This is not necessarily a function of BGP but instead of how a
TCP session works. In order to reset the TCP session the attacker would
have to know:

1. source IP address
2. destination IP address
3. source TCP port
4. destination TCP port
5. sequence number within the window

        TCP works in a client server type model where the client
typically initiates the session with the well known port as the
destination and a (pseudo)random source port. When the server responds
it will use the well known port as the source and the same (pseudo)random
port as the destination.

        This implies that the attacker must know the direction of the
flow (which router initiated the BGP session and which responded) in
order to see which is using source 179 and which is using destination
179. In addition to this they would still need to know the random port.
At first it seems that this feature of TCP makes the attack much harder
to implement, as the attacker would have to guess both this random port
plus the sequence number, but if you look closely at the Cisco advisory
it says:

"Cisco IOS software uses predictable ephemeral ports for known services
with a predictable increment (the next port which will be used for a
subsequent connection). These values, while constant for a particular
Cisco IOS software version and protocol, can vary from one release to
another."

        With a bit of testing I was able to see that Cisco's BGP
implementation uses port 11000 as a starting point for BGP sessions and
works its way up:

Client:
IP: s=13.0.0.3 (Serial0/1), d=13.0.0.1 (Serial0/1), len 40, rcvd 3
TCP src=11004, dst=179, seq=98379509, ack=207256370, win=16111 ACK
IP: s=13.0.0.3 (Serial0/1), d=13.0.0.1 (Serial0/1), len 59, rcvd 3
TCP src=11004, dst=179, seq=98379509, ack=207256370, win=16111 ACK PSH

Server:
IP: s=13.0.0.1 (Serial1/2), d=13.0.0.3 (Serial1/2), len 59, rcvd 3
TCP src=179, dst=11004, seq=207256370, ack=98379528, win=16092 ACK PSH
IP: s=13.0.0.1 (Serial1/2), d=13.0.0.3 (Serial1/2), len 59, rcvd 3
TCP src=179, dst=11004, seq=207256389, ack=98379547, win=16073 ACK PSH

        This is from 12.2(15)T7 Enterprise Basic on a 2600, however I'd
venture to say that this behavior probably stays relatively consistent
between versions and platforms.

        So now the attacker knows that either the source or destination
port is 179, and the other port would be around 110xx. Find out what
the addresses are of the neighbors, and start pounding one or both of
them with RST packets that increase in sequence number say by about
15000 and you have a feasible attack. Too bad I don't know how to code
or I'd try it out ;)

        Assuming all of your BGP sessions are with directly connected
neighbors this attack isn't hard to prevent. All you have to do is make
sure that a packet from the neighbor doesn't come in any other interface
than the one they are located on. However when you have BGP sessions
that transit other devices this may prove more difficult.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Kenneth Wygand
> Sent: Thursday, April 22, 2004 8:40 AM
> To: istong@stong.org; Calton,Doug; ccie; Armand D; ccielab@groupstudy.com
> Subject: RE: TCP vulnerability!
>
> Gotta refresh some information on my BGP, but even without any access
> list, wouldn't you be unable to reset a BGP session without a correct
> source/destination pair? Follow my logic...
>
> If the spoofed source isn't right, it would be like having Router A peer
> to the loopback of Router B and router B trying to peer with Router A
> with Router B's direct connected interface. Won't BGP just throw this
> packet away?
>
> If the destination isn't right (trying to reset a session that's
> connected to the Router B's loopback interface by sending a TCP reset to
> Router B's directly connected interface), won't the same thing happen?
> Won't BGP just throw this packet away?
>
> And as far as using an access list to limit sessions to using TCP port
> 179, it would seem that would be the only port on which a TCP session
> could be reset, regardless of filtering through an access list.
>
> Am I missing something?
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
> CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
> Network+, A+
> Custom Computer Specialists, Inc.
> "The only unattainable goal is the one not attempted."
> -Anonymous
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> istong@stong.org
> Sent: Thursday, April 22, 2004 8:34 AM
> To: Calton,Doug; istong@stong.org; ccie; Armand D;
> ccielab@groupstudy.com
> Subject: RE: TCP vulnerability!
>
> If you were just filtering on source address then it
> wouldn't help a whole lot. But if you filter on specific
> source destination pairs and tcp port 179 you at least make
> it harder. You would have to spoof the source address,
> point to the proper destination address, guess the proper
> source/destination tcp ports and properly guess (within a
> certain window) what the sequence number should be.
> Ultimately you should consider multiple methods of
> prevention as I mentioned in an earlier email.
>
> One interesting thread I have seen lately relates to a
> possible "added vulnerability" by using MD5. The idea is
> that if you add MD5 authentication to your router then it
> will now have to check incoming packets for a proper hash.
> If you send the router a ton of MD5 authenticated bogus
> packets - is there a potential for doing a denial of service
> on the router? Perhaps it's a vulnerability that should be
> of concern - but I would have to test it in a lab to see.
>
> Someone else asked for a link about the vulnerability so I'm
> adding that here:
>
> http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
>
>
> Thanks,
>
> Ian
> http://www.ccie4u.com
> CCIE Lab Scenarios and Rack Rentals
>
>
>
>
> > Assuming the source addr is being spoofed, how would an
> > ACL help? Related to this, I have been thinking - how does
> > the use of a stable source IP (i.e. loopback) affect this
> > vulnerability? I am thinking that standard best practices
> > regarding spoofing filters can prevent or minimize
> > spoofing (BGP-targeted or otherwise) between ebgp sessions
> > on WAN links to peers, if the WAN IP is used to establish
> > the session and isolated subnets were used. iBGP sessions
> > would be harder to prevent, assuming use of a loopback
> > source IP and potential for broadcast media. Thoughts?
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> > On Behalf Of istong@stong.org
> > Sent: Thursday, April 22, 2004 6:28 AM
> > To: ccie; Armand D; ccielab@groupstudy.com
> > Subject: Re: Transmission Control Protocol (TCP)
> > vulnerability!
> >
> >
> > From what I can tell this is not really a new
> > vulnerability. This has been an issue for a long time and
> > the mitigation steps have been recommended for almost as
> > long. It seems the real interest in this vulnerability
> > now stems from the finding that you don't have to know the
> > exact sequence number (a 1/2 to the 32nd chance) but
> > instead just need to be within a window of the correct
> > sequence number.
> >
> > Having said that there are various methods to address the
> > possible threat of someone interrupting your BGP sessions
> > by sending RST or SYN packets. One method is to use MD5
> > authentication on your peers. Another method (or in
> > conjunction) you can use ACLs to block tcp port 179 down
> > to specific source/destination peers. Lastly you may also
> > want to look into best business practices such as AS
> > filtering and prefix filtering, etc.
> >
> >
> > Ian
> >
> > http://www.CCIE4U.com
> > High End Rack Rentals with IOS 12.2T starting at only $20
> >
> >
> > > ----- Original Message -----
> > > From: "Armand D" <ciscoworks2001@yahoo.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Wednesday, April 21, 2004 8:50 PM
> > > Subject: Transmission Control Protocol (TCP)
> > > vulnerability ???
> > >
> > >
> > > > Hi,
> > > >
> > > > I'm wondering what anyone thinks about the latest
> > > > vulnerability (TCP) specification ? What precautions
> > > > are people taking if any at this point ?
> > > >
> > > > Thanks,
> > > >
> > > > Armand
> > > >
> > > >
> > >
> >
> http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
> > > >



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:53 GMT-3